Dan Angelson, posted September 16

Hello all,

I have set up an Always On VPN before Windows Logon as per Citrix's instructions, and it works as intended: a machine tunnel is established using a device certificate at the Windows logon screen, and after the user logs in, a user tunnel is established using the Windows sign-in credentials.

The problem is that we are due to implement Windows Hello for Business company-wide, and that means that the Secure Access client won't have a password to use to establish the user tunnel. As a result, I want to change the config on the VPN to keep the machine tunnel after Windows login; however, I have a few security concerns I need to investigate.

My main question is: is the NetScaler only checking that the device certificate was signed by our internal CA's root cert, or is it also making sure that the device presenting the certificate has the private key for it?

Thank you in advance!
Dan
Jonnathan Rojas Murillo, posted September 16

@Dan Angelson, for client authentication you will require both the device certificate and that the client has the private key installed for the authentication to work, so if you look at it from that perspective both are "checked". In other words, you cannot use a certificate for device authentication for which you don't have the private key installed.

HTH,
Jonnathan
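As an added illustration of the point in Jonnathan's reply (example code written for this page, not NetScaler's implementation and not from Citrix's documentation): a self-contained Go program that builds a toy PKI and a mutual-TLS server which, like a gateway doing device-certificate authentication, requires client certificates chaining to the internal CA. It then connects three times: with the device certificate and its own key, with the same certificate but a key belonging to another device, and with a certificate for the same machine name issued by an untrusted CA. All names in it (Internal Root CA, LAPTOP-01, vpn.example.internal, Untrusted CA) are made up for the demo. Only the first handshake succeeds: the TLS CertificateVerify message is a signature over the handshake transcript made with the client's private key, so a copied certificate without that key is rejected even though it chains to the trusted CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a short-lived ECDSA P-256 cert for this toy PKI; parent == nil means a self-signed root CA.
func issueCert(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		DNSNames:              []string{"localhost"}, // lets the client verify the server as "localhost"
	}
	if parent == nil { // self-signed root
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// clientAttempt returns nil only if the server accepted the mutual-TLS handshake. In TLS 1.3 the
// server checks the client's CertificateVerify after Dial has returned, so the verdict is read back.
func clientAttempt(addr string, roots *x509.CertPool, c tls.Certificate) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: []tls.Certificate{c}})
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // server writes "ok" only after a successful handshake
	return err
}

// runDemo starts a "gateway" requiring client certs from the internal CA and tries three device credentials.
func runDemo() (withKey, wrongKey, foreignCA error) {
	caCert, caKey := issueCert("Internal Root CA", x509.ExtKeyUsageAny, nil, nil)
	srvCert, srvKey := issueCert("vpn.example.internal", x509.ExtKeyUsageServerAuth, caCert, caKey)
	devCert, devKey := issueCert("LAPTOP-01", x509.ExtKeyUsageClientAuth, caCert, caKey)
	_, strayKey := issueCert("OTHER-DEVICE", x509.ExtKeyUsageClientAuth, caCert, caKey)
	otherCA, otherKey := issueCert("Untrusted CA", x509.ExtKeyUsageAny, nil, nil)
	rogueCert, rogueKey := issueCert("LAPTOP-01", x509.ExtKeyUsageClientAuth, otherCA, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // chain to ClientCAs AND a valid CertificateVerify
		ClientCAs:    pool,
	})
	must(err)
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				if c.(*tls.Conn).Handshake() == nil {
					c.Write([]byte("ok"))
				}
			}()
		}
	}()
	addr := ln.Addr().String()
	// 1. Genuine device: certificate plus the key it was issued for.
	withKey = clientAttempt(addr, pool, tls.Certificate{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey})
	// 2. Copied certificate, another device's key. tls.Certificate is built by hand here because
	//    tls.X509KeyPair would refuse a mismatched pair locally; the server still rejects the signature.
	wrongKey = clientAttempt(addr, pool, tls.Certificate{Certificate: [][]byte{devCert.Raw}, PrivateKey: strayKey})
	// 3. Same CN, correct key for that cert, but issued by a CA the gateway does not trust.
	foreignCA = clientAttempt(addr, pool, tls.Certificate{Certificate: [][]byte{rogueCert.Raw}, PrivateKey: rogueKey})
	return
}

func main() {
	fmt.Println(runDemo()) // expect: <nil> followed by two handshake errors
}
```

Run it with `go run .`; the first result is nil and the other two are handshake errors. The caveat for the keep-the-machine-tunnel design is the flip side of this check: because the gateway proves possession of the private key, the device identity is exactly as strong as the protection of that key on the endpoint, so a non-exportable, TPM-backed device key matters far more than which CA issued the certificate.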
Dan Angelson (author), posted September 20

On 9/16/2024 at 8:19 PM, Jonnathan Rojas Murillo said:
"@Dan Angelson, for client authentication you will require both the device certificate and that the client has the private key installed for the authentication to work, so if you look at it from that perspective both are "checked". In other words, you cannot use a certificate for device authentication for which you don't have the private key installed. HTH, Jonnathan"

Hi Jonnathan,

Thanks for the reply. I had strong suspicions that it would, since it is the basic config that Citrix has in their documentation, and I thought surely they wouldn't recommend a wildly insecure configuration.
Julian Jakob, posted September 20

You can use Kerberos auth for switching from the device tunnel to the user's tunnel, also with SSO. Windows Hello supports Kerberos, so you just have to rebuild the config on NS regarding auth policies on AAA.